
Commit 0f14674

Add Terraform V4 Support (and Graviton) (#53)
* Upgrading to Terraform Provider V4
1 parent fad9b66 commit 0f14674


19 files changed

+231
-85
lines changed


.github/workflows/testsuite-master.yaml

Lines changed: 4 additions & 4 deletions
@@ -13,7 +13,7 @@ jobs:
1313
- name: setup Terraform
1414
uses: hashicorp/[email protected]
1515
with:
16-
terraform_version: 0.15.5
16+
terraform_version: 1.1.7
1717
- name: Terraform init
1818
run: terraform init --backend=false
1919
- name: tflint
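Review bot: pinning `terraform_version: 1.1.7` exactly here while `.header.md` in this same commit declares `required_version = "> 1.0"` means CI never exercises the lowest Terraform version the module claims to support; either raise the declared floor to `>= 1.1.7` (which is what the generated requirements table in README.md already states) or test against the declared floor. Separately, the `uses:` reference for setup-terraform is unreadable on this page (it renders as `[email protected]`), so the action pin itself could not be reviewed; third-party actions are best pinned to a commit SHA rather than a tag.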
@@ -31,7 +31,7 @@ jobs:
3131
- name: setup Terraform
3232
uses: hashicorp/[email protected]
3333
with:
34-
terraform_version: 0.15.5
34+
terraform_version: 1.1.7
3535
- name: Terraform init
3636
run: terraform init --backend=false
3737
- name: tfsec
@@ -46,10 +46,10 @@ jobs:
4646
steps:
4747
- uses: actions/[email protected]
4848
- name: misspell
49-
uses: reviewdog/action-misspell@v1
49+
uses: reviewdog/action-misspell@v1.11.0
5050
with:
5151
github_token: ${{ secrets.ACTIONS_TOKEN }}
52-
locale: "US"
52+
locale: "UK"
5353
reporter: github-check
5454
filter_mode: added
5555
level: error
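Review bot: the `locale: "US"` to `"UK"` switch is unrelated to the Terraform v4 / Graviton purpose stated in the commit message and is not mentioned in CHANGELOG.md; either split it into its own commit or say why it is here, since it changes which spellings misspell will flag from now on. The move from the floating `reviewdog/action-misspell@v1` to `@v1.11.0` is an improvement, though a tag is still mutable and a commit SHA is the stronger pin. Also worth confirming that `secrets.ACTIONS_TOKEN` is not a broad personal access token where the job-scoped `GITHUB_TOKEN` would suffice for a check reporter.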

.github/workflows/testsuite.yaml

Lines changed: 4 additions & 4 deletions
@@ -40,7 +40,7 @@ jobs:
4040
- name: setup Terraform
4141
uses: hashicorp/[email protected]
4242
with:
43-
terraform_version: 0.15.5
43+
terraform_version: 1.1.7
4444
- name: Terraform init
4545
run: terraform init --backend=false
4646
- name: tflint
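Review bot: this is the same `0.15.5` to `1.1.7` bump as in testsuite-master.yaml, and with it the version string now appears four times across the two workflows (tflint and tfsec jobs in each). A single source, such as a workflow-level `env:` value or a `.terraform-version` file read by the setup step, would stop the copies drifting the next time the version is bumped.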
@@ -58,7 +58,7 @@ jobs:
5858
- name: setup Terraform
5959
uses: hashicorp/[email protected]
6060
with:
61-
terraform_version: 0.15.5
61+
terraform_version: 1.1.7
6262
- name: Terraform init
6363
run: terraform init --backend=false
6464
- name: tfsec
@@ -73,10 +73,10 @@ jobs:
7373
steps:
7474
- uses: actions/[email protected]
7575
- name: misspell
76-
uses: reviewdog/action-misspell@v1
76+
uses: reviewdog/action-misspell@v1.11.0
7777
with:
7878
github_token: ${{ secrets.ACTIONS_TOKEN }}
79-
locale: "US"
79+
locale: "UK"
8080
reporter: github-pr-check
8181
filter_mode: added
8282
level: error
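Review bot: same locale change as in testsuite-master.yaml, with the same question about why it belongs in a provider-upgrade commit. Note that `filter_mode: added` means only lines added in a pull request are checked, so switching to `"UK"` will not re-check the existing documentation; if the goal is UK spelling throughout, a one-off full run of misspell is needed as well.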

.header.md

Lines changed: 5 additions & 2 deletions
@@ -47,11 +47,11 @@ As such you should include the following in your provider configuration:
4747

4848
```
4949
terraform {
50-
required_version = "> 0.15.1"
50+
required_version = "> 1.0"
5151
required_providers {
5252
aws = {
5353
source = "hashicorp/aws"
54-
version = "~> 3.0"
54+
version = "~> 4.0"
5555
configuration_aliases = [aws.ue1]
5656
}
5757
}
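Review bot: `required_version = "> 1.0"` is an odd constraint: it excludes exactly 1.0.0 but admits 1.0.1, and it disagrees with the generated requirements table further down README.md in this same commit, which states `>= 1.1.7` (also the version CI is pinned to). Use `>= 1.1.7` here too, so the provider block users copy matches what the module actually enforces. `version = "~> 4.0"` admits every 4.x provider release; if the module has only been exercised against a particular 4.x, say so in docs/UPGRADING.md.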
@@ -66,6 +66,9 @@ provider "aws" {
6666

6767
The `ue1` alias is essential for this module to work correctly.
6868

69+
## Severless Static Wordpress V2 Upgrade Guide
70+
See [UPGRADING](docs/UPGRADING.md) for Version 2 upgrade guidance, including for Version 4 of the AWS Terraform Provider.
71+
6972
## Module instantiation example
7073

7174
```
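Review bot: the new heading misspells the product name (`Severless` should be `Serverless`), and because this file is the template README.md is generated from, the typo is duplicated there. The release naming is also inconsistent within the commit: CHANGELOG.md and docs/UPGRADING.md call this `0.2.0` / `0.2.x`, while this heading and sentence call it `Version 2`; pick one. (`Wordpress` is conventionally written `WordPress`.)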

.pre-commit-config.yaml

Lines changed: 1 addition & 1 deletion
@@ -33,7 +33,7 @@ repos:
3333
args: ["--output-file", "README.md", "markdown", "modules/waf"]
3434
pass_filenames: false
3535
- repo: https://github.com/antonbabenko/pre-commit-terraform
36-
rev: v1.31.0
36+
rev: v1.64.0
3737
hooks:
3838
- id: terraform_fmt
3939
- id: terraform_tflint
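Review bot: `v1.31.0` to `v1.64.0` is a large jump in pre-commit-terraform while the `args:` for the terraform-docs hook above are left unchanged; a line in the commit message saying the hooks were re-run and the generated README diff matches would make that easier to trust. As with the workflow actions, `rev:` is a tag, not a SHA.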

CHANGELOG.md

Lines changed: 25 additions & 6 deletions
@@ -1,16 +1,35 @@
11
# Changelog
22

3+
## 0.2.0 - UNRELEASED
4+
5+
! BREAKING CHANGES ! - See [UPGRADING.md](docs/UPGRADING.md) for guidance on upgrading from v0.1.x
6+
7+
### **Maintenance**:
8+
9+
- Module upgraded to AWS Terraform v4. Existing installations will need Terraform state moved for forwards
10+
compatibility.
11+
12+
### **New Features**
13+
- Added support for Graviton-based CodeBuild if supported in deployment region. Will gracefully fallback to
14+
non-Graviton if not supported.
15+
- Added support for Graviton-based ECS Fargate if supported in deployment region. Will fallback to non-Graviton
16+
if not supported, however source docker image used for ECS container MUST be AMD64/ARM64 architecture respectively.
17+
Note FARGATE_SPOT is not supported for Graviton-based ECS at this time.
18+
- Added healthCheeck block to ECS Task Definition.
19+
- Added EventBridge monitoring for ECS Service Action events (which captures placement failures when using FARGATE_SPOT
20+
capacity provider)
21+
322
## 0.1.2 - 23rd June 2021
423

5-
Bugfix: Changed special characters used in RDS password generation to ensure compatibility.
6-
Docs: Updated to fix typos in helper commands, and detailed supported RDS Aurora v1 regions.
24+
- **Bugfix**: Changed special characters used in RDS password generation to ensure compatibility.
25+
- **Docs**: Updated to fix typos in helper commands, and detailed supported RDS Aurora v1 regions.
726

827
## 0.1.1 - 19th June 2021
928

10-
Bugfix: Refactor md5 calculation on archive_file in codebuild child module.
11-
Bugfix: Re-typed AWS account number as string to avoid rounding on account numbers prepended with zeros.
12-
Bugfix: Fix passed WAF variable values if set to inactive.
29+
- **Bugfix**: Refactor md5 calculation on archive_file in codebuild child module.
30+
- **Bugfix**: Re-typed AWS account number as string to avoid rounding on account numbers prepended with zeros.
31+
-- **Bugfix**: Fix passed WAF variable values if set to inactive.
1332

1433
## 0.1.0 - 19th June 2021
1534

16-
Initial release of Serverless Static Wordpress Terraform module.
35+
- Initial release of Serverless Static Wordpress Terraform module.
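Review bot: the WAF bugfix entry under 0.1.1 now begins `-- **Bugfix**` (two dashes), which renders as a bullet whose text starts with a stray `-`; drop one. On the added 0.2.0 lines: `healthCheeck` should be `healthCheck`, `AWS Terraform v4` should be `AWS Terraform Provider v4`, and "Existing installations will need Terraform state moved for forwards compatibility" is vague where docs/UPGRADING.md has the concrete `terraform import` / `state rm` steps; point at those. One breaking change is missing from the list entirely: the ecs.tf hunks in this commit change the capacity provider for non-Graviton deployments from `FARGATE_SPOT` to `FARGATE`, which is a cost change for every existing user unless it is a bug, and this entry says Spot is only unsupported for Graviton.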

README.md

Lines changed: 11 additions & 4 deletions
@@ -48,11 +48,11 @@ As such you should include the following in your provider configuration:
4848

4949
```
5050
terraform {
51-
required_version = "> 0.15.1"
51+
required_version = "> 1.0"
5252
required_providers {
5353
aws = {
5454
source = "hashicorp/aws"
55-
version = "~> 3.0"
55+
version = "~> 4.0"
5656
configuration_aliases = [aws.ue1]
5757
}
5858
}
@@ -67,6 +67,9 @@ provider "aws" {
6767

6868
The `ue1` alias is essential for this module to work correctly.
6969

70+
## Severless Static Wordpress V2 Upgrade Guide
71+
See [UPGRADING](docs/UPGRADING.md) for Version 2 upgrade guidance, including for Version 4 of the AWS Terraform Provider.
72+
7073
## Module instantiation example
7174

7275
```
@@ -229,6 +232,8 @@ For any issues relating to this module, [raise an issue against this repo.](http
229232
| <a name="input_cloudfront_class"></a> [cloudfront\_class](#input\_cloudfront\_class) | The [price class](https://aws.amazon.com/cloudfront/pricing/) for the distribution. One of: PriceClass\_All, PriceClass\_200, PriceClass\_100 | `string` | `"PriceClass_All"` | no |
230233
| <a name="input_ecs_cpu"></a> [ecs\_cpu](#input\_ecs\_cpu) | The CPU limit password to the Wordpress container definition. | `number` | `256` | no |
231234
| <a name="input_ecs_memory"></a> [ecs\_memory](#input\_ecs\_memory) | The memory limit password to the Wordpress container definition. | `number` | `512` | no |
235+
| <a name="input_graviton_codebuild_enabled"></a> [graviton\_codebuild\_enabled](#input\_graviton\_codebuild\_enabled) | Flag that controls whether CodeBuild should use Graviton-based build agents in [supported regions](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html). | `bool` | `false` | no |
236+
| <a name="input_graviton_fargate_enabled"></a> [graviton\_fargate\_enabled](#input\_graviton\_fargate\_enabled) | Flag that controls whether ECS Fargate should use Graviton-based containers in [supported regions]https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate-Regions.html). | `bool` | `false` | no |
232237
| <a name="input_hosted_zone_id"></a> [hosted\_zone\_id](#input\_hosted\_zone\_id) | The Route53 HostedZone ID to use to create records in. | `string` | n/a | yes |
233238
| <a name="input_launch"></a> [launch](#input\_launch) | The number of tasks to launch of the Wordpress container. Used as a toggle to start/stop your Wordpress management session. | `number` | `"0"` | no |
234239
| <a name="input_main_vpc_id"></a> [main\_vpc\_id](#input\_main\_vpc\_id) | The VPC ID into which to launch resources. | `string` | n/a | yes |
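Review bot: the `graviton_fargate_enabled` description has a broken Markdown link: `[supported regions]https://...` is missing the opening `(`. The neighbouring `ecs_cpu` / `ecs_memory` descriptions read `CPU limit password to` / `memory limit password to`, presumably `passed to`. This table is generated by terraform-docs (see the pre-commit hook in this commit), so make both fixes on the variable `description` strings and regenerate rather than editing README.md by hand.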
@@ -265,8 +270,8 @@ For any issues relating to this module, [raise an issue against this repo.](http
265270

266271
| Name | Version |
267272
|------|---------|
268-
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.1 |
269-
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 3.0 |
273+
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.1.7 |
274+
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.0 |
270275
| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.1.0 |
271276
## Resources
272277

@@ -279,6 +284,7 @@ For any issues relating to this module, [raise an issue against this repo.](http
279284
| [aws_db_subnet_group.main_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
280285
| [aws_ecr_repository.serverless_wordpress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
281286
| [aws_ecs_cluster.wordpress_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster) | resource |
287+
| [aws_ecs_cluster_capacity_providers.wordpress_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster_capacity_providers) | resource |
282288
| [aws_ecs_service.wordpress_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) | resource |
283289
| [aws_ecs_task_definition.wordpress_container](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource |
284290
| [aws_efs_access_point.wordpress_efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_access_point) | resource |
@@ -307,4 +313,5 @@ For any issues relating to this module, [raise an issue against this repo.](http
307313
| [random_password.serverless_wordpress_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
308314
| [aws_iam_policy_document.ecs_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
309315
| [aws_iam_policy_document.wordpress_bucket_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
316+
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
310317
<!-- END_TF_DOCS -->

docs/UPGRADING.md

Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,36 @@
1+
## Upgrading from 0.1.x to 0.2.x
2+
3+
Version 0.2 of Serverless Static Wordpress makes numerous updates to the resources used to deploy the solution, as well
4+
as expanding functionality with additional options.
5+
6+
Where possible, this has been done in a way to be as backwards compatible as reasonably possible - however there are a
7+
variety of quirks of Terraform behaviour that can mean that this is imperfect, and may require a manual tweak either to
8+
the configuration in AWS, or to the Terraform state backing the resources.
9+
10+
### Upgrading to Version 4 of the Terraform AWS Provider
11+
Version 4 of the AWS Provider introduced a few breaking changes to the way ECS and S3 resources are defined. Attributes
12+
that would normally be specified as part of the single resource definition have now been split out into their own
13+
resources. To cope with this, we have created these resources, and _existing_ resources can be handled with some
14+
terraform state operations. To date, these are documented as follows.
15+
16+
NOTE, in these examples, the example `site_name` is `peterdotcloud` and the resources are named accordingly. You will
17+
need to substitute these values with the value used for your own deployment
18+
19+
```
20+
terraform import module.peterdotcloud_website.aws_ecs_cluster_capacity_providers.wordpress_cluster peterdotcloud_wordpress
21+
terraform state rm module.peterdotcloud_website.module.codebuild.aws_s3_bucket_object.wordpress_dockerbuild
22+
terraform import module.peterdotcloud_website.module.codebuild.aws_s3_object.wordpress_dockerbuild peterdotcloud-build/wordpress_docker.zip
23+
terraform import module.peterdotcloud_website.module.cloudfront.aws_s3_bucket_server_side_encryption_configuration.wordpress_bucket www.peter.cloud
24+
terraform import module.peterdotcloud_website.module.codebuild.aws_s3_bucket_acl.code_source peterdotcloud-build
25+
terraform import module.peterdotcloud_website.module.codebuild.aws_s3_bucket_server_side_encryption_configuration.code_source peterdotcloud-build
26+
```
27+
### Graviton
28+
29+
With support for ARM in CodeBuild, and in ECS in regions where it is supported (strictly better for cost/performance),
30+
the module will need to recreate your task definition and ECS service. This is nothing to be concerned with however you
31+
**must** ensure your base image of Wordpress is an arm64 platform version (and preferably linux/arm64/v8) otherwise
32+
your Wordpress container will error out with `exec user process caused: exec format error` which indicates your image
33+
is of the mismatched architecture.
34+
35+
Note that when using Graviton-based containers for ECS, FARGATE_SPOT is not currently available (bear this in mind for
36+
cost).
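Review bot: the guide never says when to run the state commands. They have to be run after the module source/version is updated and `terraform init -upgrade` has pulled the v4 provider, but before `terraform apply`; otherwise the plan will propose creating the new split resources (`aws_ecs_cluster_capacity_providers`, `aws_s3_object`, the `aws_s3_bucket_acl` and `aws_s3_bucket_server_side_encryption_configuration` resources) against a cluster and buckets that already exist. The substitution note only mentions `site_name`, but the `wordpress_bucket` encryption import uses `www.peter.cloud`, which per modules/cloudfront/distribution.tf is `${var.site_prefix}.${var.site_domain}` and not derived from `site_name`; say so. Wording: "as backwards compatible as reasonably possible" has a redundant "as"; `Wordpress` should be `WordPress`. Finally, the Graviton section says Spot is unavailable only for Graviton, yet the ecs.tf hunks in this commit move non-Graviton deployments onto `FARGATE` too, so either this guide or the code is wrong about cost.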

ecs.tf

Lines changed: 15 additions & 4 deletions
@@ -1,3 +1,5 @@
1+
data "aws_region" "current" {}
2+
13
resource "aws_efs_file_system" "wordpress_persistent" {
24
encrypted = true
35
lifecycle_policy {
@@ -123,6 +125,11 @@ resource "aws_ecs_task_definition" "wordpress_container" {
123125
site_name = var.site_name
124126
})
125127

128+
runtime_platform {
129+
operating_system_family = "LINUX"
130+
cpu_architecture = var.graviton_fargate_enabled ? (contains(local.graviton_fargate_regions_unsupported, data.aws_region.current) ? "X86_64" : "ARM64") : "X86_64"
131+
}
132+
126133
cpu = var.ecs_cpu
127134
memory = var.ecs_memory
128135
requires_compatibilities = ["FARGATE"]
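Review bot: `contains(local.graviton_fargate_regions_unsupported, data.aws_region.current)` compares the whole `aws_region` data source object against what must be a list of region-name strings, so it can never match; the unsupported-region fallback to `X86_64` therefore never fires and every deployment with `graviton_fargate_enabled = true` gets `ARM64`. Compare `data.aws_region.current.name` instead. The same expression is repeated three more times in this file for the capacity provider; compute the architecture once in a `locals` block and derive the capacity provider from it. `local.graviton_fargate_regions_unsupported` itself is not in the part of the diff shown here, so its contents could not be checked. Note also that adding a `runtime_platform` block changes the task definition for users who have not enabled Graviton at all, which docs/UPGRADING.md should mention alongside the Graviton recreation it already describes.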
@@ -218,7 +225,7 @@ resource "aws_ecs_service" "wordpress_service" {
218225
desired_count = var.launch
219226
# iam_role =
220227
capacity_provider_strategy {
221-
capacity_provider = "FARGATE_SPOT"
228+
capacity_provider = var.graviton_fargate_enabled ? (contains(local.graviton_fargate_regions_unsupported, data.aws_region.current) ? "FARGATE_SPOT" : "FARGATE") : "FARGATE"
222229
weight = "100"
223230
base = "1"
224231
}
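Review bot: the fallback branch of the ternary looks wrong. With `graviton_fargate_enabled = false` the strategy now resolves to `FARGATE`, where the removed line used `FARGATE_SPOT`, so every existing x86 deployment is moved off Spot by this upgrade; that contradicts CHANGELOG.md ("FARGATE_SPOT is not supported for Graviton-based ECS", implying x86 keeps Spot) and the Graviton section of docs/UPGRADING.md. The trailing `: "FARGATE"` should be `: "FARGATE_SPOT"`; the unsupported-region branch already returns `FARGATE_SPOT` correctly. The region check in the middle also compares the whole data source object rather than `data.aws_region.current.name`, so as written it never matches.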
@@ -236,10 +243,14 @@ resource "aws_ecs_service" "wordpress_service" {
236243
# TODO: Add option to enable container insights
237244
#tfsec:ignore:AWS090
238245
resource "aws_ecs_cluster" "wordpress_cluster" {
239-
name = "${var.site_name}_wordpress"
240-
capacity_providers = ["FARGATE_SPOT"]
246+
name = "${var.site_name}_wordpress"
247+
}
248+
249+
resource "aws_ecs_cluster_capacity_providers" "wordpress_cluster" {
250+
cluster_name = aws_ecs_cluster.wordpress_cluster.name
251+
capacity_providers = [var.graviton_fargate_enabled ? (contains(local.graviton_fargate_regions_unsupported, data.aws_region.current) ? "FARGATE_SPOT" : "FARGATE") : "FARGATE"]
241252
default_capacity_provider_strategy {
242-
capacity_provider = "FARGATE_SPOT"
253+
capacity_provider = var.graviton_fargate_enabled ? (contains(local.graviton_fargate_regions_unsupported, data.aws_region.current) ? "FARGATE_SPOT" : "FARGATE") : "FARGATE"
243254
weight = "100"
244255
base = "1"
245256
}
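Review bot: the capacity-provider ternary now appears three times in this file (service strategy, `capacity_providers`, `default_capacity_provider_strategy`); put it in one `locals` value so the fix for the trailing `"FARGATE"` (which should be `"FARGATE_SPOT"` when Graviton is disabled) lands everywhere at once. `capacity_providers` lists only the currently selected provider, so flipping `graviton_fargate_enabled` removes the previous provider from the cluster while the service strategy changes in the same apply; listing both `FARGATE` and `FARGATE_SPOT` here and selecting in the strategies avoids that. `weight = "100"` and `base = "1"` are numbers passed as strings, pre-existing but worth tidying while the block is being touched.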

main.tf

Lines changed: 9 additions & 8 deletions
@@ -7,14 +7,15 @@ module "lambda_slack" {
77
}
88

99
module "codebuild" {
10-
source = "./modules/codebuild"
11-
site_name = var.site_name
12-
site_domain = var.site_domain
13-
codebuild_bucket = "${var.site_name}-build"
14-
main_vpc_id = var.main_vpc_id
15-
wordpress_ecr_repository = aws_ecr_repository.serverless_wordpress.name
16-
aws_account_id = var.aws_account_id
17-
container_memory = var.ecs_memory
10+
source = "./modules/codebuild"
11+
graviton_codebuild_enabled = var.graviton_codebuild_enabled
12+
site_name = var.site_name
13+
site_domain = var.site_domain
14+
codebuild_bucket = "${var.site_name}-build"
15+
main_vpc_id = var.main_vpc_id
16+
wordpress_ecr_repository = aws_ecr_repository.serverless_wordpress.name
17+
aws_account_id = var.aws_account_id
18+
container_memory = var.ecs_memory
1819
}
1920

2021
module "cloudfront" {
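Review bot: the whole block is re-aligned because of the longer `graviton_codebuild_enabled` name, which is what `terraform fmt` does, but it buries the one real change (the new pass-through) under eight whitespace-only lines. The modules/codebuild side that consumes this variable is not in the part of the diff shown on this page, so the "graceful fallback" CHANGELOG.md promises for CodeBuild could not be reviewed here; if it uses the same `contains(..., data.aws_region.current)` pattern as ecs.tf it will have the same never-matching comparison.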

modules/cloudfront/README.md

Lines changed: 1 addition & 0 deletions
@@ -44,6 +44,7 @@ No requirements.
4444
| [aws_s3_bucket.wordpress_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
4545
| [aws_s3_bucket_policy.wordpress_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
4646
| [aws_s3_bucket_public_access_block.wordpress_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
47+
| [aws_s3_bucket_server_side_encryption_configuration.wordpress_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
4748
| [archive_file.index_html](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
4849
| [aws_iam_policy_document.lambda-edge-cloudwatch-logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
4950
| [aws_iam_policy_document.lambda-edge-service-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

modules/cloudfront/distribution.tf

Lines changed: 8 additions & 6 deletions
@@ -1,14 +1,16 @@
11
# TODO: Add optional logging for S3 bucket
22
# TODO: Add optional versioning for S3 bucket
3-
#tfsec:ignore:AWS002 #tfsec:ignore:AWS077
3+
#tfsec:ignore:AWS002 #tfsec:ignore:AWS017 #tfsec:ignore:AWS077
44
resource "aws_s3_bucket" "wordpress_bucket" {
55
bucket = "${var.site_prefix}.${var.site_domain}"
66
force_destroy = true
7-
server_side_encryption_configuration {
8-
rule {
9-
apply_server_side_encryption_by_default {
10-
sse_algorithm = "AES256"
11-
}
7+
}
8+
9+
resource "aws_s3_bucket_server_side_encryption_configuration" "wordpress_bucket" {
10+
bucket = aws_s3_bucket.wordpress_bucket.bucket
11+
rule {
12+
apply_server_side_encryption_by_default {
13+
sse_algorithm = "AES256"
1214
}
1315
}
1416
}
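Review bot: the new `#tfsec:ignore:AWS017` suppresses the unencrypted-bucket finding on `aws_s3_bucket` now that encryption lives in the separate `aws_s3_bucket_server_side_encryption_configuration` resource; add a short comment saying exactly that, because a reader of the bucket block alone now sees three ignores and no encryption. The `AWS002` (logging) and `AWS077` (versioning) ignores still correspond to the two TODOs above and are unchanged. `bucket = aws_s3_bucket.wordpress_bucket.bucket` matches the bucket-name import ID used in docs/UPGRADING.md, so the import path is consistent. SSE-S3 (`AES256`) is kept from the old inline block; for a public CloudFront origin that is a reasonable choice, and a CMK would mainly add key-policy and key-usage auditing if the bucket ever holds more than the published site.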
